Non interactive git clone (ssh fingerprint prompt)

Question

I want to clone a repo in a non-interactive way. When cloning, git asks to confirm host's fingerprint:

The authenticity of host 'bitbucket.org (207.223.240.182)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)? no

How do I force "yes" every time this questions pops up? I tried using yes yes | git clone ..., but it doesn't work.

EDIT: Here's a solution: Can I automatically add a new host to known_hosts? (adds entires to known_hosts with ssh-keyscan).

Answer 1

I don't think that is the best solution, but it was a solution for me.

ANSWER:

Adding the domainnames to the known_hosts file using the ssh-keyscan command solved the issue:

ssh-keyscan <enter_domainname_e.g._github.com> >> ~/.ssh/known_hosts

Answer 2

Neither "StrictHostKeyChecking no" nor "ssh-keyscan" options are secure. you need a manual fingerprint validation at some point to avoid MiTM attack if you stick with ssh.

Actually, you have 2 options:

Use https protocol instead of git

It won't ask you for a fingerprint, because ssh is not involved, https is used instead. For a security standpoint you are trusting root certificates installod on your OS. If you're using a minimalist image or Docker, you might need to install the ca-certificates package.

If you really want git+ssh protocol

Do you really need to add the key at runtime? This is not secure because you didn't check the fingerprint and that leaves you open to MiTM attacks. This is not just theoretical, and it has been proven to work.

Before running your script, get the key from github (on your local machine):

ssh-keyscan github.com > githubKey

Generate the fingerprint:

ssh-keygen -lf githubKey

And check it manually against those listed in this page (ok, there you trust https certificates and OpenSSL to bring you the original github website, but it's still a lot better than blindly accepting a public key).

Alternatively (trusting the same https and OpenSSL) you can fetch it from https://api.github.com/meta like this: curl -s https://api.github.com/meta | jq ."ssh_key_fingerprints" | grep RSA. (Thanks @willscripted for this one)

Then, you hardcode it in your script by adding in it:

echo '<copy paste the content of 'cat githubKey' on your machine>'  >> ~/.ssh/known_hosts

before the git clone.

The GitHub public key will only change if they believe it was compromised (or not secure enough). If this is ever the case, you want your script to fail anyway.

Answer 3

Adding the key to .ssh/known_hosts appears to be the right thing to do.

Though when you automate the task you want to make sure the key is not already contained and added on each clone/pull tasks.

This snippet will only add the fingerprint if not already found:

if [ ! -n "$(grep "^bitbucket.org " ~/.ssh/known_hosts)" ]; then ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts 2>/dev/null; fi

Answer 4

I believe a better option here is to back up and empty your ~/.ssh/known_hosts file, manually perform the SSH connection, verifying the IP address and fingerprint, mv ~/.ssh/known_hosts ~/bitbucket_hosts, then use the contents of ~/bitbucket_hostsin your script to automatically append the known fingerprints to the known_hosts file (don't forget to restore the original ~/.ssh/known_hosts).

This step only needs to be performed once (on any machine, I believe), and once you have the fingerprints, you can incorporate it in to your automation script.

Answer 5

While I certainly understand that you want to automate such a process, doing so would be ill-advised. The reason why SSH and related networking subcomponents balk when using a secure protocol is to WARN a human that a system's public key is unknown. This is intentional - the user needs to explicitly inform the system the host is expected. You wouldn't want to auto accept every public key presented to you or part of the security in SSH or TLS/SSL could be compromised. One example is via a man-in-the-middle attack such as when a proxy software presents it's own key in the place of a host you expect.

Proceed with caution.

If you have no fear about the source of the code across the wire, you should explicitly and exclusively use the git:// protocol when cloning - it's authenticationless and in clear text.

Answer 6

As Jeff Hall said, doing so is dangerous as it allows undetected man-in-the-middle attacks. However, you could use the StrictHostKeyChecking no option in ssh to disable checking the host keys. However, I'd be very careful with that option if I were you.